Newsgroups: php.internals
Xref: news.php.net php.internals:27364
Subject: Re: [PHP-DEV] Comments on PHP security
From: sesser@hardened-php.net (Stefan Esser)
Date: Thu, 11 Jan 2007 17:19:30 +0100 (MET)
To: Pierre
CC: Alain Williams, internals@lists.php.net, kel@securityfocus.com
Message-ID: <45A66391.1090302@hardened-php.net>
References: <20070111144144.GV15998@mint.phcomp.co.uk> <45A65B19.40900@lerdorf.com> <45A6600D.1090500@hardened-php.net>

> For your information, zip is not enabled by default. If you have a
> bug/issue about the specific zip:// URL, please let me know. Ilia and
> Tony already fixed some path issues and the fixes are available in
> zip-1.8.4. They will be in 5.2.1.

For your information, Pierre: security bugs in PHP are usually found by me. So guess twice WHO told security@php.net that there are buffer overflows in zip:// URLs and WHY there have been bug fixes to ext/zip.

BTW: last time I checked, popular packages like dotdeb PHP activate ext/zip by default...

And yes... also prepare for the ***more than 30 vulnerabilities*** I disclosed to security@php.net during the last 3 weeks.

Have fun...

Stefan